The mobile industry is coming under increasing pressure to do more to combat Authorised Push Payment (APP) fraud. The most common scenario (and the reason our industry is in the spotlight) is where a victim receives a call or message from a fraudster and is manipulated into making a payment to them. The call or message is often from a spoofed number or sender ID, making it appear to be from their bank or another legitimate organisation.
The growing volume and sophistication of these types of payment fraud schemes are causing significant financial and emotional harm to their victims, who often lose their life savings. While the focus remains on the banks and payment service providers, governments and regulators are turning to the mobile operators who carry the calls and messages to take action, and in some cases, share the liability. The last two years have seen some notable developments, such as:
- Singapore has introduced a Shared Responsibility Framework which assigns duties and responsibilities to financial institutions, telecommunications operators and consumers.
- The proposed EU Payment Services Regulation places more responsibility on operators and other communication service providers to establish dedicated communication channels with payment service providers.
- Australia has introduced a Scams Prevention Framework, which imposes a range of obligations on regulated sectors (currently these are: telecoms, digital platforms and banking) with strict penalties for organisations that fail to comply with the framework’s requirements.
As a result, impacted operators are frequently required to implement stringent anti-scam measures, which often involve substantial investments in technology and infrastructure. For example, the implementation of call certification standards (such as STIR/SHAKEN in the USA) requires operators to upgrade their networks to support the authentication of caller identities, an extremely costly and complex process with no guarantee of success.
We are also seeing more cross-sector collaboration between financial institutions and operators to develop strategies that detect and prevent fraud and scams. One such example is GSMA’s and UK Finance’s launch of the ‘Scam Signal’ API in the UK, which uses operator network intelligence and customer data to identify social engineering attempts. Other GSMA Open Gateway APIs built to fight fraud, such as SIM Swap, Number Verify and Know Your Customer, are being launched in different countries around the world.
So how does GSMA’s T-ISAC help to fight fraud and scams?
Mobile operators, banks and payment service providers are working closely to share information and collectively enhance their fraud management capabilities to better protect consumers and businesses exposed to fraud. There are the usual concerns around privacy and competition, but the pressure is mounting to such a level, and the arguments for protecting customers, especially vulnerable ones, are so strong that we are seeing some existing barriers slowly being removed. An example is the UK’s Information Commissioner’s Office issuing formal guidance on sharing personal information for the prevention, detection and investigation of scams.
Many questions remain to be resolved, however, such as where operators should focus their efforts. There is a lot of data on both sides, and some of it is only effective if shared in real-time, while other data sets can remain effective for days, weeks or even months. Which data sharing has the most impact, and what could we potentially stop doing to focus on the higher-impact sharing? These questions are best answered through the experience and expertise of groups such as the T-ISAC community and those in the payment services industry. By addressing these questions now, operators will be in a stronger position to discuss a regulator’s concerns and demonstrate the work that the industry is doing to collaborate with other sectors, including with regulators, to protect consumers.
